Mallory
Malware / Ransomware / Used by 2 actors

Devman

Devman is a ransomware operation first identified in early 2025 and described in reporting as a non-public, closed operation rather than a public RaaS platform. Multiple sources link Devman to the DragonForce ecosystem or code lineage, and technical analysis states that DEVMAN samples largely reuse DragonForce code derived from Conti while adding Devman-specific customization. Reported overlaps include builder strings such as "DEVMAN 3.0", near-identical ransom notes, and matching "DM"-prefixed lateral-movement task names seen in related reporting. Devman has also been described as partnering with multiple RaaS services, including Qilin, DragonForce, and RansomHub.

The malware is associated with double-extortion activity and targeted intrusions against high-value organizations. Reporting says Devman continued targeted penetration of industrial organizations and intensified its targeting of critical infrastructure and healthcare, with victims concentrated in Asia and Africa and some activity in Latin America and Europe. One report notes an incident in Thailand in which all systems and NAS devices were encrypted. Another states that Devman moved from version 1.0, written in C++, to version 2.0, written in Rust.

Observed Devman indicators and behaviors include the encrypted-file extensions ".DEVMAN" and ".devman1" and a fixed (deterministic) ransom-note filename, "e47qfsnz2trbkhnt.devman". Technical analysis of a DEVMAN sample found it appending the .DEVMAN extension, scrambling filenames, probing SMB shares including ADMIN$ for discovery and lateral movement, checking for Volume Shadow Copies, using the Windows Restart Manager to access locked files, and supporting full, header-only, and custom encryption modes. The sample appeared to operate largely offline, with no external C2 observed beyond the SMB probing. A builder flaw reportedly caused the malware to encrypt its own ransom notes, leaving scrambled .DEVMAN files instead of readable notes. Additional reported artifacts include a hardcoded mutex "hsfjuukjzloqu28oajh727190" and Restart Manager-related mutexes following the pattern "Local\RstrMgr-[GUID]-Session0000".

One reference associates Devman with over 180 claimed victims, while other reporting cites nearly 40 claimed victims and Q1 2026 victim counts falling from 82 to 25 after the operator "Tramp", described as a former Conti and Black Basta affiliate, was added to Interpol's wanted list in January 2026. Devman's dormancy in February 2026 coincided with the debut of Vect, prompting reporting about possible continuity or rebranding, but that linkage remains inferential in the available material.

Reported high-confidence IOCs include the encrypted extensions ".DEVMAN" and ".devman1", the ransom-note filename "e47qfsnz2trbkhnt.devman", MD5 "e84270afa3030b48dc9e0c53a35c65aa", SHA256 "df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7", and SHA256 "018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8".
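To turn the reported artifacts into a host-level check, here is an added Python example (not Mallory's code or any vendor rule): it scores constructed file, mutex and process events against the extensions, ransom-note name, mutex names and hashes listed above. The telemetry field names (type, path, name, hash) and the weights are assumptions for this example.

```python
import re

# Indicators as reported on this page; extensions are compared case-insensitively.
ENCRYPTED_EXTENSIONS = {".devman", ".devman1"}
RANSOM_NOTE_NAME = "e47qfsnz2trbkhnt.devman"  # may itself end up encrypted (builder flaw)
HARDCODED_MUTEX = "hsfjuukjzloqu28oajh727190"
# Restart Manager mutexes are created by legitimate software too: weak signal only.
RSTRMGR_RE = re.compile(r"^Local\\RstrMgr-[0-9a-fA-F-]{36}-Session\d{4}$")

# Hashes exactly as printed on the page; the first SHA256 is only 61 hex chars,
# so the length filter drops it rather than guessing the missing digits.
PAGE_HASHES = {
    "e84270afa3030b48dc9e0c53a35c65aa",
    "df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7",
    "018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8",
}
KNOWN_HASHES = {h.lower() for h in PAGE_HASHES
                if len(h) in (32, 64) and re.fullmatch(r"[0-9a-fA-F]+", h)}

def score_event(ev):
    """(weight, reason) for one record, or None. Fields type/path/name/hash are assumed."""
    kind = ev.get("type")
    if kind == "file_create":
        name = ev["path"].rsplit("\\", 1)[-1]
        if name.lower() == RANSOM_NOTE_NAME:
            return 3, "ransom note filename"
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in ENCRYPTED_EXTENSIONS:
            return 2, f"encrypted extension {ext}"
    elif kind == "mutex_create":
        if ev["name"] == HARDCODED_MUTEX:
            return 3, "hardcoded Devman mutex"
        if RSTRMGR_RE.match(ev["name"]):
            return 1, "Restart Manager mutex (weak signal)"
    elif kind == "process_start" and ev.get("hash", "").lower() in KNOWN_HASHES:
        return 3, "known sample hash"
    return None

def assess(events, threshold=4):
    """Sum indicator weights for one host; a weak signal alone never reaches the threshold."""
    hits = [r for r in map(score_event, events) if r]
    total = sum(w for w, _ in hits)
    return {"score": total, "devman": total >= threshold, "reasons": [why for _, why in hits]}

SAMPLE_EVENTS = [  # constructed telemetry, not taken from any real incident
    {"type": "mutex_create", "name": "Local\\RstrMgr-6f2c1a3e-8b4d-4c5e-9a7f-1d2e3f4a5b6c-Session0000"},
    {"type": "file_create", "path": "C:\\Users\\Public\\Reports\\q1.xlsx.DEVMAN"},
    {"type": "file_create", "path": "C:\\Users\\Public\\e47qfsnz2trbkhnt.devman"},
    {"type": "process_start", "hash": "018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8"},
]
```

Because the builder flaw can leave the ransom note itself encrypted, the extension and mutex indicators should be weighted so that a host can cross the threshold without the note ever appearing.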

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
Tramp

"Devman declined by 70%, from 82 victims to 25. The ransomware's operator "Tramp", a former Conti and Black Basta affiliate, was added to Interpol's wanted list in January 2026."

via Check Point Research blog (research.checkpoint.com)
DragonForce

"Security researchers have reportedly identified Devman ransomware payloads that are built on DragonForce infrastructure."

via Blackpoint Cyber (blackpointcyber.com)